Security awareness & training policy

Information security policy

Information security awareness and training

Policy summary
This policy specifies an information security awareness and training program to inform and motivate
all workers regarding their information risk, security, privacy and related obligations.

Applicability
This policy applies throughout the organization as part of the corporate governance framework. It
applies regardless of whether or not workers use the computer systems and networks, since
workers are expected to protect all forms of information asset including computer data, written
materials/paperwork and intangible forms of knowledge and experience. This policy also applies to
third-party employees working for the organization whether they are explicitly bound (e.g. by
contractual terms and conditions) or implicitly bound (e.g. by generally held standards of ethics and
acceptable behavior) to comply with our information security policies.

Policy detail
Background
Technical IT security (cybersecurity) controls are a vital part of our information security framework
but are not in themselves sufficient to secure all our information assets. Effective information
security also requires the awareness and proactive support of all workers, supplementing and
making full use of the technical security controls. This is obvious in the case of social engineering
attacks and frauds, for example, which directly target vulnerable humans rather than IT and network
systems.
Lacking adequate information security awareness, workers are less likely to recognize or react
appropriately to information security threats and incidents and are more likely to place information
in danger through ignorance and carelessness.
Whereas ‘awareness’ implies a basic level of understanding about a broad range of information
security matters, ‘training’ implies more narrowly-focused and detailed attention to one or more
specific topics. Training tends to be delivered through classroom or online courses, while awareness
tends to be delivered by multiple communications methods such as seminars, case studies, written
briefing and reference materials (for self-motivated study), posters and conversations. Awareness
provides the foundation level of knowledge and understanding for training to build upon. In other
words, security awareness and training are complementary approaches.

Policy axiom (guiding principle)

In order to protect valuable information, all workers must be informed about relevant, current
information security matters, and motivated to fulfill their information security obligations.

Copyright © 2018 IsecT Ltd. Page 1 of 4

Detailed policy requirements
1. An information security awareness program should ensure that all workers achieve and
maintain at least a basic level of understanding of information security matters, such as general
obligations under various information security policies, standards, procedures, guidelines,
laws, regulations, contractual terms plus generally held standards of ethics and acceptable
behavior.
2. Additional training is appropriate for workers with specific obligations towards information
security that are not satisfied by basic security awareness, for example Information Risk and
Security Management, Security Administration, Site Security and IT/Network Operations
personnel. Such training requirements must be identified in workers’ personal training plans
and funded accordingly. The particular training requirements will reflect workers’ relevant
prior experience, training and/or professional qualifications, as well as anticipated job needs.
3. Security awareness and training activities should commence as soon as practicable after
workers join the organization, for instance through attending information security
induction/orientation classes. The awareness activities should continue on a
continuous/rolling basis thereafter in order to maintain a reasonably consistent level of
awareness of current issues and challenges in this area.
4. Where necessary and practicable, security awareness and training materials should suit their
intended audiences in terms of their styles, formats, complexity, technical content etc. For
example, some people prefer to read written descriptions and instructions while others prefer
to be shown things or have them demonstrated. Some like to read words, others prefer
diagrams and pictures. Non-technical workers are unlikely to understand or appreciate highly
technical awareness content, while their technical colleagues may well need the full details in
order to understand exactly what they are being asked to do. Everyone needs to know why
information security is so important, but the motivators may be different for workers
concerned only about their own personal situations or managers with broader responsibilities
to the organization and their staff.
5. Information Security’s intranet site (the Security Zone) is the focal point for security awareness,
providing information and guidance on a wide variety of information security matters. It is the
definitive source of current information security policies, standards, procedures and
guidelines. However, workers with limited intranet access must also be kept suitably informed
by other means such as seminars, briefings and courses.
6. A range of compliance measures must be undertaken to achieve widespread compliance with
various information security obligations. While the details vary according to the specific nature
of those obligations including the risks associated with non-compliance, management
anticipates a mixture of routine, periodic and ad hoc compliance activities such as
management oversight, reviews and audits, which may include checking workers’ uptake of
security awareness and training opportunities, awareness test results and other metrics.

Responsibilities and accountabilities
• The Chief Information Security Officer/Information Security Manager is accountable for
running an effective information security awareness and training program that informs and
motivates workers to help protect the organization’s information assets, and third-party
information (including personal data) in our care.
• Information Security Management is responsible for developing and maintaining a
comprehensive suite of information security policies (including this one), standards,
procedures and guidelines that are to be mandated and/or endorsed by management where
applicable. Working in conjunction with other corporate functions, it is also responsible for
running suitable awareness, training and educational activities to raise awareness and aid
understanding of workers’ responsibilities identified in applicable policies, laws, regulations,
contracts etc.
• Help Desk is responsible for helping workers on basic information risk, security, privacy and
related matters, liaising with experts from functions such as Information Security
Management, Site Security, Human Resources, Risk Management, Legal and Compliance
where necessary.
• Managers are responsible for ensuring that their staff and other workers within their remit
participate in the information security awareness, training and educational activities where
appropriate.
• Workers are personally accountable for complying with applicable policies, laws and
regulations at all times.
• Internal Audit is authorized to assess compliance with this and other corporate policies at any
time.

Related policies, standards, procedures and guidelines
Item: Information security policy manual
Relevance: Describes the organization’s Information Security Management System and a suite of
information security controls based on the good security practices recommended by ISO/IEC 27001
and ISO/IEC 27002.

Item: Information governance, information risk management, information classification, incident
reporting and various cybersecurity policies
Relevance: Awareness and training are essential if workers are to know, understand, appreciate
and fulfil their responsibilities towards information risk management, information security and
cybersecurity, reporting incidents, resisting social engineering attacks, avoiding malware,
patching systems etc.

Item: Oversight and assurance policies
Relevance: Awareness and training give workers the information and motivation to fulfil various
expectations and obligations relating to information security.

Item: Business Continuity Management policy
Relevance: Workers need to understand their roles following serious incidents and disasters.

Item: Information security standards, procedures and guidelines
Relevance: These amplify and explain the information security policies, providing greater detail
on particular topics and/or pragmatic advice for particular audiences.

Item: Information security awareness and training materials
Relevance: A broad range of information security awareness and training materials is available
from the Security Zone or from Information Security, covering both general security matters and
more specific security topics; the materials are proactively maintained to remain relevant to the
ever-changing information security risk and control landscape.

Further information
For general advice on information risk and security matters, speak to your manager, contact the
Help Desk or browse the intranet Security Zone. Contact Information Security or Human Resources
for more specific advice and assistance.

Important note from IsecT Ltd.
This is neither legal nor security advice. It is a generic policy template that does not reflect your
organization’s particular information security risks, control requirements and constraints.
